On Thu, Aug 17, 2017 at 6:30 PM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> I guess I am making progress. I am not getting SAN into the root cert. My
> cnf has in it:
>
> [ req ]
> # Options for the `req` tool (`man req`).
> default_bits = 2048
> prompt = no
> distinguished_name = req_distinguished_name
> string_mask = utf8only
> req_extensions = req_ext
>
> [ req_ext ]
> #subjectAltName = email:$ENV::adminemail
> #subjectAltName = email:admin@xxxxxxxxxxxxxxx
> subjectAltName = IP:192.168.24.1
>
> I tried all three above alternatives for SAN. No SAN in the root cert
> created with:
>
> openssl req -config openssl-root.cnf -key private/ca.key.pem \
> -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
>
> Thanks for any insight.
>
> This type of cnf worked for creating a CSR and with the copy option the SAN
> made it into the cert.

It looks a bit unusual for a Root CA.

As far as signing the CSR, you need copy_extensions = copy

Jeff
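An added example, not part of the original messages: with `-x509`, `openssl req` takes the certificate's extensions from the section named by `-extensions` (here `v3_ca`), so a `subjectAltName` that sits only in the `req_extensions` section never reaches the self-signed cert. The script builds the root both ways with the command from the thread; the temp paths, the CN, the `keyUsage` line and the `v3_ca` contents are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo; file names, CN and section contents are assumptions.
workdir=$(mktemp -d)
openssl genrsa -out "$workdir/ca.key.pem" 2048 2>/dev/null

# write_cnf <section>: write a config whose subjectAltName lives in <section>
write_cnf() {
    cat > "$workdir/root-$1.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
string_mask = utf8only
req_extensions = req_ext

[ req_distinguished_name ]
CN = Example Root CA

[ req_ext ]
keyUsage = critical, keyCertSign, cRLSign
$( [ "$1" = req_ext ] && echo 'subjectAltName = IP:192.168.24.1' )

[ v3_ca ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
$( [ "$1" = v3_ca ] && echo 'subjectAltName = IP:192.168.24.1' )
EOF
}

# root_san <section>: build a self-signed root with the thread's command
# (-extensions v3_ca) and print the SAN entry found in the cert, if any
root_san() {
    write_cnf "$1"
    openssl req -config "$workdir/root-$1.cnf" -key "$workdir/ca.key.pem" \
        -new -x509 -days 7300 -sha256 -extensions v3_ca \
        -out "$workdir/ca-$1.cert.pem" || return 1
    openssl x509 -in "$workdir/ca-$1.cert.pem" -noout -text |
        grep 'IP Address:192.168.24.1' | tr -d ' '
}

echo "SAN placed in [ req_ext ]: '$(root_san req_ext)'"
echo "SAN placed in [ v3_ca ]:   '$(root_san v3_ca)'"
```

The generated key and certificates stay in the temporary directory for inspection with `openssl x509 -noout -text`.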